AMENDMENTS TO THE CLAIMS 

The following listing of claims will replace all prior versions and listings of claims in the application.

Listing Of Claims 

1. (currently amended) An application tunneling method for establishing communication in a network between distributed application modules in different private networks without requiring modification and administration of communication protocols of existing security protection network devices, including one or more firewall, network address translation protocol, or proxy servers, comprising:

[[determining communication data of a first network peer that is connected to a first network and that communicates with an internetwork through a first tunnel, the communication data including an internetwork address and port for the first network peer to receive messages via the internetwork;

registering the communication data with a lookup service that is available through the internetwork;

receiving a communication request from a second network peer that is connected to a second network and that communicates with the lookup service through the internetwork;

providing the communication data of the first network peer to the second network peer; and

sending messages, according to the communication data, from the second network peer directly to the first network peer via the first tunnel]]



Serial No. 10/614,909
Page 2 of 25

employing a distributed communication architecture, the architecture including:

(a) at least one tunnel registration and lookup service module supporting dynamic registration and access of communication data including one or more of the following types of information: (i) logical name; (ii) unique identifier; (iii) communication address; (iv) port; or (v) a service capability link pointing to a data type descriptor describing one or more of the following types of data: direct or indirect tunneling; security information; tunnel protocol type; or address mapping information for distributed application modules;

(b) at least one tunnel service software module that is independent from the existing security protection network devices to relay communication data for a local application module to an external network;

(c) at least one tunnel session that is independent from the security network protection devices and can be dynamically configured to receive messages from and send messages to different ones of the application modules and a tunnel module co-located with a session control module; and

(d) at least one tunnel message switching service supporting indirect tunneling specified in capability descriptors of tunnel sessions established between two or more remote tunnel services behind private networks;



wherein employing the distributed communication architecture results in multiple application tunnel networks over multiple private networks that have the following properties:

(a) without requiring design or configuration changes of the existing security protection network devices, the tunnel networks only require that one or more of the private networks allow for outgoing web access to one or more commonly accessible and secure web servers using a most common HTTP protocol;

(b) the tunnel networks allow dynamic selection of additional tunneling methods based on allowable inbound and outbound filtering policies of the private networks; and

(c) the tunnel networks only feed application communication module IP address, port number, and application data to tunnel service servers, thereby rendering a tunneling operation of an application independent and protected from administration of existing private networks.

2. (currently amended) The method of claim 1 wherein:

the communication data further comprises at least one of firewall restrictions, [[and ]]a tunnel protocol, or port mapping information obtained by a discovery module which observes the firewall restriction, interacts with an external UDP brokerage service (UBS) to allocate a port in a Network Address Translator (NAT) by sending a message to the UBS through the NAT, discovers the port mapping from the NAT through UPnP protocol and registers the mapping to the look-up service;

a registration service in a public network accepts registration requests from at least one tunneling service in a private/secured network, which is connected to the public network via a firewall or network address translating device, the registration service authenticating the registering tunneling service, using certificates for processing the registration requests, and issuing registration responses to the requests;

a lookup service accepts lookup requests from at least one tunneling service in the private/secured network, and sends lookup results in response to the requests.

3. (currently amended) The method of claim 1 further comprising authenticating the communication request at a[[the]] lookup service independently from private and secure network devices for at least two tunnel services to establish a secure tunnel session so that multiple communication peers can use one or more secure tunnel sessions to exchange messages through an external tunnel switching service or directly send messages to one or more ports specified in a look-up service to achieve secure tunneling of application data with dynamic selection of a tunnel switching service for indirect communication, or without tunnel switching services for direct communication to the tunnel service independent from the existing network devices.

4. (currently amended) The method of claim 3 wherein the communication request includes a certificate indicative of a [[the second]] network peer to allow a tunnel switching server to authenticate a message sent from a sender independently from any existing private security network devices.
5. (currently amended) The method of claim 4 wherein authenticating the communication request includes providing a tunnel identifier to the [[second]] network peer in response to [[the]] certificate, wherein the tunnel identifier is used by the tunnel switching service to associate with a message queue and communication data specified in look-up services.

6. (currently amended) The method of claim [[2 further comprising]] 5 wherein the architecture further includes a tunnel module requesting an external tunnel switching server to create [[creating]] a message queue with associated session ID and certificate for one of the [[first]] network peers to allow for another of the network peers to authenticate and send messages through the tunnel module to the message queue in an external tunnel switching service server in a dynamic fashion.

7. (previously presented) The method of claim 6 further comprising adding 
the communication request to the message queue. 

8. (currently amended) The method of claim 7 wherein the message queue is a proxy queue that is created by the tunnel switching service for one remote tunnel service to receive messages from another remote tunnel service asynchronously.
9. (original) The method of claim 7 wherein creating the message queue includes creating the message queue at a server remotely located from the first network peer.

10. (currently amended) The method of claim 7 wherein creating the message queue includes creating the message queue [[at a location of the lookup service]] in a tunnel switching service based on data specified in the lookup service, the tunnel services send and receive messages to and from message queues through the tunnel switching service using HTTP, SOAP or a proprietary message protocol based on a local private network security policy and firewall restrictions, and size of the messages can be reduced to support real-time traffic or increased to support large batched traffic.

11. (currently amended) The method of claim 7 further comprising tracking the location of the message queue at the lookup service so that tunnel services can use more than one message queue to receive messages to support high performance and reliability.

12. (cancelled) 

13. (cancelled) 
14. (currently amended) [[A]] The method [[for]] of claim 2, further comprising dynamically registering and selecting a tunnel protocol in a network [[comprising]] including:

[[determining protocol data of a first network peer that is connected to a first network and that communicates with an internetwork through a first tunnel;

registering the protocol data with a lookup service that is available through the internetwork;

receiving a communication request from a second network peer at the lookup service;

providing the protocol data of the first network peer to the second network peer;

selecting a tunnel protocol at the second network peer according to the protocol data; and

sending a message from the second network peer to the first network peer according to the tunnel protocol]]

employing a tunneling service in a private/secured network to accept data from at least one application in its local network, and forward data accepted from local applications to a tunnel switching service in an external public network through a firewall or network address translating router that connects the external public network and the private/secured network,

wherein a tunneling service in the private/secured network accepts data from the tunnel switching service in a public network via a local firewall or network address translating router, forwards the data to at least one application in its local network, and, based on content specified in the look-up service, allows two or more of the following alternatives to be selected dynamically:

(a) using HTTP to get a message from the tunnel switching server;

(b) receiving data directly from the UDP ports that is used to send out UDP setup packet through interaction with UBS;

(c) using TCP to send and receive data;

(d) using UDP for sending and HTTP for receiving messages from a message queue in a tunnel switch;

(e) using encryption for IP address and port;

(f) using encryption for data;

(g) using new communication protocols as supported by private networks on an individual basis; or

(h) combinations of the above as supported by private networks on an individual basis.
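The registration, lookup and proxy-queue flow of claims 1 through 14, as an added example written here and not the applicant's code: a lookup service with a registration table that authenticates every caller, a tunnel switching service holding proxy message queues keyed by a session identifier, and tunnel services behind private networks that select direct or indirect tunneling from the peer's registered communication data. The trusted-fingerprint set, the `203.0.113.10` address and the `session-N` identifiers are constructed stand-ins; real certificate validation, the UDP brokerage service and UPnP discovery are not modelled.

```python
from collections import deque
from dataclasses import dataclass

# Constructed trust list standing in for certificate validation (claims 2 and 4).
TRUSTED_FINGERPRINTS = {"fp-alice", "fp-bob"}
# Stand-in for the IP network: (address, port) -> tunnel service listening there.
NETWORK = {}


@dataclass
class CommData:  # communication data registered per tunnel service (claim 1, item (a))
    name: str
    address: str
    port: int
    tunneling: str   # "direct" (inbound port mapped) or "indirect" (via the switch)
    session_id: str  # tunnel identifier naming a proxy queue, "" when direct (claim 5)


class LookupService:  # registration table in the public network (claims 2 and 3)
    def __init__(self):
        self.table = {}

    def register(self, fingerprint, data):
        if fingerprint not in TRUSTED_FINGERPRINTS:
            raise PermissionError("untrusted registrant")
        self.table[data.name] = data

    def lookup(self, fingerprint, name):
        if fingerprint not in TRUSTED_FINGERPRINTS:
            raise PermissionError("untrusted requester")
        return self.table[name]


class TunnelSwitchingService:  # proxy message queues for indirect tunneling (claims 6-10)
    def __init__(self):
        self.queues, self.counter = {}, 0  # session id -> (owner fingerprint, queue)

    def create_queue(self, owner_fingerprint):
        self.counter += 1
        sid = f"session-{self.counter}"
        self.queues[sid] = (owner_fingerprint, deque())
        return sid

    def enqueue(self, sender_fingerprint, sid, message):
        if sender_fingerprint not in TRUSTED_FINGERPRINTS or sid not in self.queues:
            raise PermissionError("message rejected")
        self.queues[sid][1].append(message)

    def poll(self, owner_fingerprint, sid):  # owner drains its queue over an outbound call
        owner, queue = self.queues[sid]
        if owner != owner_fingerprint:
            raise PermissionError("not the queue owner")
        drained = list(queue)
        queue.clear()
        return drained


class TunnelService:  # one per private network; makes outbound calls only
    def __init__(self, name, fingerprint, lookup, switch, direct_port=None):
        self.fp, self.lookup, self.switch, self.inbox = fingerprint, lookup, switch, []
        if direct_port is not None:  # inbound port available, e.g. via a UPnP mapping
            self.data = CommData(name, "203.0.113.10", direct_port, "direct", "")
            NETWORK[(self.data.address, self.data.port)] = self
        else:                        # no inbound path: ask the switch for a proxy queue
            self.data = CommData(name, "", 0, "indirect", switch.create_queue(fingerprint))
        lookup.register(fingerprint, self.data)

    def send(self, peer_name, message):  # pick direct or indirect from registered data
        target = self.lookup.lookup(self.fp, peer_name)
        if target.tunneling == "direct":
            NETWORK[(target.address, target.port)].inbox.append(message)  # UDP stand-in
            return "direct"
        self.switch.enqueue(self.fp, target.session_id, message)
        return "indirect"

    def receive(self):
        if self.data.tunneling == "indirect":
            self.inbox.extend(self.switch.poll(self.fp, self.data.session_id))
        return list(self.inbox)
```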

15. (cancelled) 
16. (currently amended) A lookup service in a network comprising:

a first tunnel service module that acquires communication data of an associated network peer that is connected to a first network, wherein the first tunnel service module facilitates communication between the network peer and an internetwork;

a registration table that stores the communication data and that is accessible via the internetwork; and

a second tunnel service module that sends a communication request to the registration table, acquires the communication data from the registration table, and sends a communication attempt to the first tunnel based on the communication data,

wherein said look-up service does not limit a number of entries for each communication session between two tunnel services, thereby allowing applications to group multiple message queues to create parallel communication channels between a pair of tunnel services.

17. (currently amended) The lookup service according to claim 16 further comprising a discovery module that acquires the communication data at least one of during start up of the tunnel service or based on predetermined conditions resulting in or resulting from a change of the communication data.

18. (original) The lookup service according to claim 16 further comprising a registration module that registers the communication data with the registration table.
19. (original) The lookup service according to claim 16 wherein the communication data includes at least one of a logic name, a unique identifier, a communication address, a port, a communication protocol, and service capabilities.

20. (original) The lookup service according to claim 16 wherein the communication request includes a certificate indicative of the second tunnel module.

21. (original) The lookup service according to claim 20 wherein the 
registration table sends a tunnel identifier to the second tunnel in response to the 
certificate. 

22. (original) The lookup service according to claim 21 wherein the communication attempt includes the tunnel identifier.

23. (original) The lookup service according to claim 22 wherein the first tunnel 
verifies the tunnel identifier with the registration table and accepts the communication 
attempt. 

24. (currently amended) The lookup service according to claim 16 wherein the first and second tunnels include a cache to store communication data to support fast access needed for dynamic selection of direct and indirect tunneling with different protocols.



25. (original) The lookup service according to claim 24 wherein the cache 
stores the communication data. 



26. (original) The lookup service according to claim 25 wherein the cache retrieves the communication data from the registration table.

27. (original) The lookup service according to claim 16 further comprising a message queue.

28. (cancelled) 

29. (cancelled) 

30. (cancelled) 

31. (cancelled) 

32. (cancelled) 

33. (cancelled) 

34. (cancelled) 
35. (cancelled)

36. (cancelled) 

37. (New) A method for establishing communications between applications in different secured or private networks comprising:

employing an application independent (web-based) tunneling service in each of the private networks, which are connected to a public network through firewall or network address translating routers;

employing a tunnel registration and lookup service in the public network; and

employing a tunnel switching service in the public network.

38. (New) The method of claim 37, further comprising tunneling different 
application data from a first private/secured network to at least one second 
private/secured network. 

39. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a tunneling service in a private/secured network accepting data from at least one application in its local network.

40. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a tunneling service in the first private/secured network forwarding data accepted from local applications to the tunnel switching service in the external public network through a firewall or network address translating router that connects the external public network and the private/secured network.

41. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in the first private/secured network forwarding data accepted from local applications to at least one second tunneling service in the second private/secured network via a first local firewall/network address translating router, the tunnel switching service in the public network to which the first local router is connected, and a second firewall/network address translating router that connects the public network to the at least one second private/secured network.

42. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in the first private/secured network forwarding data accepted from local applications to at least one second tunneling service in the second private/secured network via its local firewall/network address translating router, the public network to which the local router is connected, and a firewall/network address translating router that connects the public network to the second private/secured network.
43. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a tunneling service in the second private/secured network accepting data from the tunnel switching service in the public network via a local firewall or network address translating router.

44. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in the first private/secured network accepting data from a second tunneling service in the at least one second private/secured network via a firewall/network address translating router of the at least one second private/secured network, the tunnel switching service in the public network, and a firewall/network address translating router of the first private/secured network.

45. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in the first private/secured network accepting data from at least one second tunneling service in the at least one second private/secured network, via a firewall/network address translating router of the at least one second private/secured network, the public network connecting the private networks, and a firewall/network address translating router of the first private/secured network.
46. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a tunneling service in the at least one second private/secured network forwarding data that is accepted from the tunneling switching service in the public network to at least one application in its local network.

47. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in the first private/secured network forwarding to at least one application in its local network data that is accepted from a second tunneling service in the at least one second private/secured network, via a firewall/network address translating router of the at least one second private/secured network, the tunnel switching service in the public network, and a firewall/network address translating router of the first private/secured network.

48. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a first tunneling service in a first private/secured network forwarding to at least one application in its local network data that is accepted from a second tunneling service in the at least one second private/secured network, via a firewall/network address translating router of the at least one second private/secured network, and the firewall/network address translating router of the first private/secured network.



49. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a technique wherein at least one tunnel service in one of the private/secured networks registers itself to a registration service in a public network, which is connected to the private/secured network by a firewall/network address translating device/router.

50. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a technique wherein at least one tunnel service in one of the private/secured networks registers at least one tunnel to a registration service in the public network, which is connected to the private/secured network by a firewall/network address translating device/router.

51. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a technique wherein a first tunnel service in the first private/secured network accesses a registration service, which is connected to the first private/secured network by a firewall/network address translating device/router and the at least one second private/secured network by a firewall/network address translating device/router, to look up a second tunnel service in the at least one second private/secured network.



52. (New) The method of claim 38, wherein tunneling different application data from the first private/secured network to the at least one second private/secured network includes employing a technique wherein a first tunnel service in the first private/secured network accesses a registration service, which is connected to the first private/secured network by a firewall/network address translating device/router and at least one second private/secured network by a firewall/network address translating device/router, to look up a tunnel provided by a second tunnel service in the second private/secured network.

53. (New) The method of claim 37, further comprising employing a technique 
to switch tunnels between different private/secured networks. 

54. (New) The method of claim 53, wherein employing the technique to switch tunnels between different private/secured networks includes employing a lookup table in the tunnel switching service in the public network that maps at least one tunnel from at least one tunneling service in at least one private/secured network, which is connected to the public network via a firewall/network address translating device/router.

55. (New) The method of claim 53, wherein employing the technique to switch tunnels between different private/secured networks includes employing the tunnel switching service that accepts data from at least one tunnel service in at least one of the private/secured networks, which is connected to the public network via a firewall/network address translating device/router.

56. (New) The method of claim 53, wherein employing the technique to switch tunnels between different private/secured networks includes employing the tunnel switching service that looks up in a lookup table a destination tunnel service for data accepted from at least one tunnel service in at least one of the private/secured networks, which is connected to the public network via a firewall/network address translating device/router.

57. (New) The method of claim 56, wherein employing the technique to switch tunnels between different private/secured networks includes employing a tunnel switching service that forwards data accepted from at least one first tunnel service in at least one first private/secured network, which is connected to the public network via a firewall/network address translating device/router, to at least one second tunnel service in at least one second private/secured network, which is connected to the public network via a firewall/network address translating device/router, according to the results of lookup.